With WPA3, Wi-Fi will be secure this time, really, wireless bods promise

Wi-Fi security should become a bit less laughable with the pending introduction of the WPA3 protocol this year. In conjunction with this week's commencement of CES – letters that once stood for Consumer Electronics Show and now come meaning-free – the Wi-Fi Alliance on Monday heralded the arrival of WPA3 as the successor to …

  1. Lee D Silver badge

    "WPA2 has some problems. It allows anyone with a bit of software to boot people off a Wi-Fi network with a DEAUTH attack. And it's not particularly secure."

    I was a little surprised to find that the Cisco Meraki wireless kit in work takes advantage of this. Pretty much, you get a list of every wireless network "nearby" yours, with the option to "quarantine" it. If you do that, your own kit performs de-auth against any nearby clients trying to join those networks, which results in only "your" networks working and everything else literally disconnecting for everyone within seconds.

    Obviously, being an unlicensed channel, this is possible but I was more than a little concerned about the legal consequences of such things. Being a large school, our site is in the middle of acres of fields, so we only ever see our own network and "rogue" networks trying to pretend to be ours (usually the kids trying to fool their friends) or things like public wifi from nearby coaches. But I was quite shocked that not only is it possible to easily block foreign SSIDs from even operating, but that this is sold as a feature (Air Marshal) that you can apply to ANY SSID you don't like, rather than just those trying to masquerade as your own.

    It is, however, quite effective... if you set up an Android phone as a hotspot on the site, you'll find that no device is able to connect to it for more than a second without getting kicked off by the site-wide wireless. And, yes, the logs literally tell you that it basically performs a de-auth attack to do that.

    If WPA3 does indeed find a way to stop this, I imagine that they'll find some other way to do the same, but still... it's a scary thing to have as just an advertised feature on a common managed wireless product. If someone did want to be malicious you could easily kill the wifi to an entire swathe of offices, houses, etc. in minutes.
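The de-auth behaviour described above is visible on the air, and the counter-measure WPA3 brings is Protected Management Frames (802.11w), which WPA3 certification requires: under PMF a client drops deauthentication and disassociation frames that are not integrity-protected. The following is an added example, not code from the original post and not how Meraki's Air Marshal is implemented: a small detector that parses raw 802.11 management frames, ignores PMF-protected ones, and flags an unprotected deauth/disassoc flood against a BSSID. The MAC addresses, reason code, timestamps and frames are constructed inline for the demo.

```python
"""Flag unprotected 802.11 deauth/disassoc floods in raw management frames.

Added example (not from the original post or from any vendor product).
Frames are built by hand below; a real detector would feed it frames from a
monitor-mode interface or a pcap.
"""
import struct
from collections import defaultdict, deque

# Frame-control byte 0: bits 0-1 version, bits 2-3 type, bits 4-7 subtype
TYPE_MGMT = 0
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12
FC1_PROTECTED = 0x40  # "Protected Frame" bit in frame-control byte 1 (set under PMF)
BROADCAST = b"\xff" * 6


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def parse_mgmt(frame: bytes):
    """Return the fields of a deauth/disassoc frame, or None for anything else."""
    if len(frame) < 26:
        return None
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x3
    subtype = fc0 >> 4
    if ftype != TYPE_MGMT or subtype not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
        return None
    protected = bool(fc1 & FC1_PROTECTED)
    # Under PMF the body is CCMP-encrypted, so only read the reason code in the clear.
    reason = None if protected else struct.unpack_from("<H", frame, 24)[0]
    return {"subtype": subtype, "da": frame[4:10], "sa": frame[10:16],
            "bssid": frame[16:22], "protected": protected, "reason": reason}


def build_deauth(da: bytes, sa: bytes, bssid: bytes, reason=7, seq=0, protected=False) -> bytes:
    """Construct a deauthentication frame (24-byte header + 2-byte reason code)."""
    fc0 = (SUBTYPE_DEAUTH << 4) | (TYPE_MGMT << 2)
    fc1 = FC1_PROTECTED if protected else 0
    header = struct.pack("<BBH6s6s6sH", fc0, fc1, 0, da, sa, bssid, seq << 4)
    return header + struct.pack("<H", reason)


def find_floods(frames, window=1.0, threshold=10):
    """frames: iterable of (timestamp_seconds, raw_frame) in capture order.

    Counts unprotected deauth/disassoc per (bssid, destination) inside a sliding
    time window and returns {(bssid, da): peak_count} for keys over threshold.
    Protected frames are skipped: a PMF client validates those itself.
    """
    recent = defaultdict(deque)
    offenders = {}
    for ts, raw in frames:
        p = parse_mgmt(raw)
        if p is None or p["protected"]:
            continue
        key = (p["bssid"], p["da"])
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            offenders[key] = max(offenders.get(key, 0), len(q))
    return offenders


if __name__ == "__main__":
    ap = mac("02:00:00:00:aa:01")      # constructed AP address
    sta = mac("02:00:00:00:bb:02")     # constructed client address
    # 20 broadcast deauths in 0.2 s, the classic "kick everyone" pattern
    flood = [(i * 0.01, build_deauth(BROADCAST, ap, ap, seq=i)) for i in range(20)]
    # the same volume, but PMF-protected: not our problem to judge on the air
    pmf = [(i * 0.01, build_deauth(sta, ap, ap, seq=i, protected=True)) for i in range(20)]
    for key, n in find_floods(flood + pmf).items():
        print("unprotected deauth flood: bssid=%s da=%s count=%d" % (key[0].hex(":"), key[1].hex(":"), n))
```

The threshold and window are tuning knobs; a single deauth every few seconds is normal AP housekeeping, twenty in a fifth of a second aimed at the broadcast address is not.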

    1. Anonymous Custard
      Pirate

      It's standard for some hotel chains and conference venues. They de-auth personal hotspots and the like to force you into their expensive, slow and insecure WiFi where they can also keep an eye on you and "tailor things" like served ads and services to your needs.

      The quicker we can get rid of such actions the better.

      1. Alan Brown Silver badge

        "It's standard for some hotel chains and conference venues."

        Only for those who like $600k fines (USA - Marriott and Smart City) or criminal prosecution (UK - Computer Misuse Act as well as Ofcom). It's the same across most of Europe.

        All you need to do stateside is notify the FCC. They've been pretty good at stomping on this behaviour.

        1. Charles 9

          "All you need to do stateside is notify the FCC. They've been pretty good at stomping on this behaviour."

          Because it's considered jamming. Under federal law, only the military can use jammers, and only during military action.

          1. kain preacher

            I do believe that changed after 9/11.

            1. Charles 9

              Communications Act of 1934 says otherwise.

              Where in the Patriot Act or wherever is the jamming restriction specifically relaxed, because the restriction is in the Communications Act of 1934 (FCC link with the pertinent details). Note it doesn't list exceptions and they specifically instructed local LEOs to knock it off some time back.

    2. Blotto Silver badge

      @Lee D

      The full branded Cisco gear does the same. It's handy if you have a site surrounded by green space and you want to ensure people can only access your wifi to prevent MIM attacks etc.

      I've used the Meraki Air Marshal at home, but it's not so effective with just 1 access point.

      1. Roland6 Silver badge

        >the full branded cisco gear does the same.

        I seem to remember that AirDefense also did similar.

        The key was in setting it up so that APs could correctly triangulate clients within your premises. So if you were running a secure network, you could prevent people from within your building connecting to external networks or unapproved ad-hoc networks. Likewise, you could terminate connections (to your network) for people leaving the building.

        As someone else has noted, WPA3 will need to support this security feature, although its implementation is likely to differ.

    3. SImon Hobson Bronze badge

      Blocking another network with de-auth packets is illegal both in the UK and USA - there have been fines for it.

      1. ibmalone

        > Blocking another network with de-auth packets is illegal both in the UK and USA - there have been fines for it.

        I was wondering as soon as I saw the description, even if there was no specific law on the wireless/radio aspect it might touch the Computer Misuse Act here.

      2. kain preacher

        That would fall under radio jammers, and only police and military are allowed to use them. I'm surprised Cisco has not been nailed for selling illegal jammers to the public.

    4. TheVogon

      "I was more than a little concerned about the legal consequences of such things"

      It would be very illegal:

      https://www.ofcom.org.uk/spectrum/interference-enforcement/spectrum-offences/jammers

      The maximum penalty is two years’ imprisonment and/or an unlimited fine.

    5. Alan Brown Silver badge

      "If you do that, your own kit performs de-auth against any nearby clients trying to join those networks, which results in only "your" networks working and everything else literally disconnecting for everyone within seconds."

      If anyone complains to Ofcom (or the FCC if you're in the USA) you'll find yourself in for a world of hurting. It's classified as deliberate interference and penalised as such.

      If they're spoofing your SSIDs then it'll probably squeak past the lawyers but actively interfering with anything else is on extremely dodgy (and expensive) ground. Ask the Marriott chain about that.

      (I have the wifi network here setup to log those SSIDs in use and reconfigure the network so that nearby access points jump to other channels. After that it's a matter of taking a walk to the location and having 'a quiet chat' with whoever's operating the rogue AP - which is almost always a phone unintentionally left in tethering mode.)

      In the UK, DEAUTH attacks additionally fall under the Computer Misuse Act, which has a lot more teeth than Ofcom. As the admin, I really wouldn't want to risk personal prosecution for activating that "feature" on our APs.

      1. Roland6 Silver badge

        >After that it's a matter of taking a walk to the location and having 'a quiet chat' with whoever's operating the rogue AP - which is almost always a phone unintentionally left in tethering mode.

        The chat is probably more beneficial in increasing a user's security awareness than simply blocking their device and them getting frustrated at things not working for reasons unknown.

        In clearing one client's building of ad-hoc networks, we identified a business need and so modified the requirements for the WiFi infrastructure to include the capability (and procedure to invoke) for user departments to request a private WiFi network and non-corporate Internet connection (eg. needed to permit some staff to monitor how the website looks to the public).

  2. defiler

    It's all secure

    Until it gets broken.

    Let's be honest - the amount of CPU you're able to carry about with you is very different to that when I first played with a wireless network in 1999. If there's a little hole, it's far easier to exploit nowadays. So the holes are made smaller, but the CPUs are made bigger...

  3. Anonymous Coward
    Anonymous Coward

    Will this require new hardware?

    I'm sure vendors won't update their routers with it because they'll want the sale, but will e.g. DD-WRT and OpenWRT be able to deliver this via software, at least on newer AC class routers that have the SoC horsepower?

    If so it could be deployed pretty quickly, as commercial APs with long term support like Cisco's would be updated, iOS and Android would be updated, so there would be a fair number of WPA3 devices by this time next year. If we have to wait for new chips, it will take years before it is the norm.

    1. Charlie Clark Silver badge

      Re: Will this require new hardware?

      Encryption is best done in hardware, so new stuff is almost inevitable as a lot of routers won't have CPUs beefy enough to do everything in software only.

      I think this is reasonable given the timeframe: announcement that they're going to start to work on a new framework. WPA2 with fixes is going to be around for a while yet and is good enough for most situations. People who can't trust it run VPNs over it anyway.

      1. Ken Hagan Gold badge

        Re: Will this require new hardware?

        I don't know but...

        The bit that is best hardware-accelerated is the encryption of payload data once you've authenticated and agreed a key with the other party. The bits that are most likely to be new in WPA3 are "everything else".

        WPA2-with-fixes might offer a stepping stone but, as the OP said, good luck getting firmware updates for your existing Things (as in, internet-thereof). My guess would be that upgrading to WPA3 may be no harder than upgrading to WPA2-with-fixes.

        1. Anonymous Coward
          Anonymous Coward

          Re: Will this require new hardware?

          I know it is fixing the initial key exchange since that's what KRACK attacks. But it is also doing other stuff - adding security to open wifi networks, making it easier to set up security on devices without a display (i.e. IoT) but the one that's potentially problematic to the idea of upgrading to WPA3 is the addition of a new 192 bit algorithm from the CSNA suite for higher security needs (i.e. government, military, etc.)

          If that new 192 bit algorithm is the only thing that would slow down on older routers that would have to do it in hardware, I hope DD-WRT & OpenWRT provides updates to support WPA3 anyway. They'd just have to say that if you want to do the 192 bit stuff you really should get a newer router that supports WPA3 directly, but since the 192 bit thing is superfluous for the type of home/SME environments that use third party firmware that's fine.

      2. rh587

        Re: Will this require new hardware?

        Encryption is best done in hardware, so new stuff is almost inevitable as a lot of routers won't have CPUs beefy enough to do everything in software only.

        As Ken Hagan notes, the bit that needs hardware acceleration is surely the stream processing once you are passing data.

        Establishing the connection and authentication is surely more of a software task - whether you're just using a PSK or negotiating a 4-way DH handshake to establish a unique session key for each client with Perfect Forward Secrecy.

        To that end, it could be rolled out quite rapidly through updates/patches (should a vendor be inclined to do so). Hardware would be needed if an entirely new encryption scheme was being proposed that couldn't use the existing AES-based ASICs.
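The contrast rh587 draws between a PSK and an ephemeral handshake is easiest to see in the actual WPA2-Personal derivation, which runs in software and needs nothing beyond the Python standard library. This is an added example, not code from the comment or from any Wi-Fi implementation: it computes the PMK from the passphrase and SSID and the PTK from the PMK plus the four values that travel in the clear in the 4-way handshake (both MAC addresses and both nonces), exactly as 802.11i specifies. The passphrase, SSID, MACs and nonces are made-up values. The point it makes is that a passive listener who knows the PSK and has captured one handshake derives the same session key as the station, for any past or future session; that is what an ephemeral Diffie-Hellman exchange (SAE in WPA3-Personal) avoids.

```python
"""WPA2-Personal key derivation, to show why a shared passphrase gives no
forward secrecy.

Added example, not from the original post. The PMK and PTK formulas are the
IEEE 802.11i ones (PBKDF2-HMAC-SHA1 and PRF-384 for CCMP); the passphrase,
SSID, MAC addresses and nonces below are constructed for the demo.
"""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK (48 bytes for CCMP) from the PMK and the four public handshake values.

    Inputs are sorted so the AP and the station compute the same key
    whichever role they hold.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def split_ptk(ptk: bytes) -> dict:
    """KCK (EAPOL MIC key), KEK (key-wrap key), TK (traffic key), 16 bytes each."""
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck: bytes, eapol_with_zeroed_mic: bytes) -> bytes:
    """Key MIC for WPA2 descriptor version 2: HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, eapol_with_zeroed_mic, hashlib.sha1).digest()[:16]


def eavesdropper_recovers_tk(passphrase: str, ssid: str, capture: dict) -> bytes:
    """What a passive listener who knows the PSK gets from one captured handshake.

    capture holds aa, spa, anonce, snonce: all sent unencrypted in EAPOL
    messages 1 and 2, so a sniffer sees them.
    """
    pmk = pmk_from_passphrase(passphrase, ssid)
    ptk = derive_ptk(pmk, capture["aa"], capture["spa"], capture["anonce"], capture["snonce"])
    return split_ptk(ptk)["tk"]


# Constructed demo values (assumptions, not real network data)
PASSPHRASE = "correct horse battery staple"
SSID = "ElRegTestNet"
AA = bytes.fromhex("0200000000aa")    # AP address
SPA = bytes.fromhex("0200000000bb")   # station address
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

if __name__ == "__main__":
    pmk = pmk_from_passphrase(PASSPHRASE, SSID)
    station = split_ptk(derive_ptk(pmk, AA, SPA, ANONCE, SNONCE))
    captured = {"aa": AA, "spa": SPA, "anonce": ANONCE, "snonce": SNONCE}
    print("station TK:      ", station["tk"].hex())
    print("eavesdropper TK: ", eavesdropper_recovers_tk(PASSPHRASE, SSID, captured).hex())
```

Nothing in the derivation is secret except the PMK, and the PMK is the same for every client and every session on that SSID; swapping the nonces changes the PTK but not the attacker's ability to recompute it. The PBKDF2 step is also the only part that is slow, which is why cracking tools target the captured MIC with a passphrase list rather than anything in the per-session PRF.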

      3. Alan Brown Silver badge

        Re: Will this require new hardware?

        There's a lot of older kit with hardwired wifi onboard.

        If WPA3 can't be run on existing WPA2-capable kit then we're going to be looking at the same 15 year overlap seen between WEP and WPA

    2. Anonymous Coward
      Anonymous Coward

      Re: Will this require new hardware?

      I reckon routers, smartphones and PCs are the least of the problem in changing to a new encryption standard. The drag will be from the host of consumer devices we connect to WiFi networks nowadays, which will never be updated. Nobody's going to want to spend a fortune to suddenly and rapidly replace every "smart" TV, set-top box, printer, doorbell, network camera, treadmill, games console, etc etc.

  4. Anonymous Coward
    Anonymous Coward

    "I'm sure vendors won't update their routers with it because they'll want the sale, [...]"

    Is it likely that client PCs will get updated to support WPA3? Updated drivers - or dependent on some up to date hardware function?

    1. fobobob

      WPA

      They managed to hack WPA in on hardware that was previously designed for WEP, so it's probably *technically* possible. The concern (as people in the comments here suggest) is that these guys want their sales; unfortunately, it seems unlikely that updates for older hardware will be widespread.

      1. Charles 9

        Re: WPA

        The results usually weren't pretty. I had to switch out a DIR-615 because trying to use WPA on it taxed it so much it kept rebooting.

  5. Anonymous Coward
    Anonymous Coward

    ...and WPA3 is delayed in order to bake in some backdoors...

    1. phuzz Silver badge

      It's an open standard, so good luck hiding those backdoors.

      1. Anonymous South African Coward Bronze badge

        Not if the hardware it resides on can have an extra back orifice or two baked in...

        Or some silly poofty vulnerability is included as standard, like telnet to a management port, for example.

  6. Anonymous Coward
    Anonymous Coward

    The new "Commercial National Security Algorithm"

    At least they are being up-front here: this is an algorithm suite only for corporations to use, not suitable for use by military, because you know, it's not actually quite as secure as we say.

    1. Anonymous Coward
      Anonymous Coward

      Re: The new "Commercial National Security Algorithm"

      The military would probably use it for unclassified networks, but I'll bet they don't support ANY wireless on classified networks. Why would you go to all the trouble of worrying about edge cases like TEMPEST and then deliberately broadcast your data? Even if you used your own algorithm you thought was secure that seems like quite the unnecessary risk, because you are hoping no one else figures out a weakness in the algorithm you didn't see.

      1. Charles 9

        Re: The new "Commercial National Security Algorithm"

        "The military would probably use it for unclassified networks, but I'll bet they don't support ANY wireless on classified networks."

        So how do they communicate securely in the field where wires aren't likely to be available?

        1. Anonymous Coward
          Anonymous Coward

          Re: The new "Commercial National Security Algorithm"

          Not with wifi or other open standards.

  7. Anonymous Coward
    Anonymous Coward

    Certificate

    "We'd point you to the NSA's Information Assurance Directorate website discussing CNSA, but presently Chrome throws a certificate warning that "Your connection is not private." Imagine that from an intelligence agency."

    You mean, you *haven't* manually configured your browser to trust certificates signed by "DoD Root CA 3" ?! How remiss of you.

    $ openssl s_client -connect www.iad.gov:443
    CONNECTED(00000003)
    depth=2 C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3
    verify error:num=19:self signed certificate in certificate chain
    ---
    Certificate chain
     0 s:/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=NSA/CSS/CN=www.iad.gov
       i:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD ID SW CA-37
     1 s:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD ID SW CA-37
       i:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 3
     2 s:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 3
       i:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 3
    ---

    Even if you trust the certificate, you also have to accept a bunch of cookies and redirects from the BIG-IP load balancer they use.

    You can just about get the page like this:

    $ curl -c /dev/null -L -k https://www.iad.gov/iad/programs/iacnsa-suite.cfm

    (Add -v to see the full nonsense)

    1. GreenReaper

      Re: Certificate

      Reminds me of the Bugzilla entry requesting the inclusion of the U.S. Federal Government's root certificate, coming up to its tenth year.

      It looks like they're still working towards a solution, but it's a slow grind. Of course, they're still doing better than Brazil.

  8. bdg2

    Why would we believe this will be better than their previous bodged efforts when they're again designing it behind closed doors and not letting any real security experts look at it until after it's released as a standard.
